2.1 Exchange/Password bypass Updated 4-7 - Hero CDMA Themes and Apps

Exchange/Password
Now with Android 2.1 it now makes me use a password. Is there a way to bypass this as it is annoying, or maybe use a pattern instead?
With 1.5 I didn't have to use a password, but with 2.1 now I do.
This works
Just thought I would update with my latest info. So here is the scoop. You can disable the Exchange password lock and have it survive reboots and mail checks. To do this, follow these steps:
[APP] LockPicker - disable Exchange lock screen [30-03-2010]
Hi all,
"j0bro"
Just whipped an app together that disables the Exchange lock screen as soon as the server has enforced its policy by using a background service and an observer on the system setting. This requires no polling, scripting, etc. and survives reboots/enforcements.
If you want to use the pattern lock, follow the next steps; if not, just skip them. First set the lock pattern before you set up your Exchange server. Then, after you set your pattern lock, set up your Exchange account and it will ask you to set your password. After that is complete, download Lockpicker in the Market, then install and run it. It will bypass the password lock and the pattern will now work.
Or
klaus27
Originally Posted by klaus27
Ok, my app is ready. I have sent it to tamburylar for testing.
Version 1.0 is ready for testing. Working with HTC Sense. Waiting for reply for Milestone support. HERE
__________________
HTC Sense or Motorola Droid with Exchange and password policy? Get rid of it: http://forum.xda-developers.com/showthread.php?p=6044673

networx2002 said:
Exchange/Password
Now with Android 2.1 it now makes me use a password. Is there a way to bypass this as it is annoying, or maybe use a pattern instead?
Not sure what you're trying to say here...
I'm using Exchange through my work, and the process is exactly the same as it has been on 1.5. Can you clarify your issue? Thanks!

networx2002 said:
Exchange/Password
Now with Android 2.1 it now makes me use a password. Is there a way to bypass this as it is annoying, or maybe use a pattern instead?
This has to do with the exchange active sync policies your IT dept has implemented. I believe you can remove that option from EAS on the exchange server.
As a workaround, you can use touchdown for your Exchange needs as it doesn't lock down your phone but just your Exchange email.

swornenemy said:
This has to do with the exchange active sync policies your IT dept has implemented. I believe you can remove that option from EAS on the exchange server.
As a workaround, you can use touchdown for your Exchange needs as it doesn't lock down your phone but just your Exchange email.
Thanks,
With 1.5 I didn't have to use a password, but with 2.1 now I do.
Thanks

networx2002 said:
Thanks,
With 1.5 I didn't have to use a password, but with 2.1 now I do.
Thanks
Yeah, Android 2.1 is more EAS compliant and can actually do remote wipes if you ever lose your phone, which is nice. I did this on my Hero and it whacked everything off and would only boot into recovery. Thank god for nandroid.
Be advised that if you enter your password wrong 10 times, (provided that you are still using the built in android exchange support) it will format your phone as well.

I've got it backed up, just hate to have to unlock it all the time.
Wish they would let you use a pattern.

networx2002 said:
I've got it backed up, just hate to have to unlock it all the time.
Wish they would let you use a pattern.
I am in the same position as you. Delete your Exchange account and use touchdown for your Exchange mail. This way it doesn't require you to use a PIN to use your phone except when accessing your Exchange mail through touchdown.

swornenemy said:
I am in the same position as you. Delete your Exchange account and use touchdown for your Exchange mail. This way it doesn't require you to use a PIN to use your phone except when accessing your Exchange mail through touchdown.
I have never been able to get touchdown to work for me.

Just thought I'd join this thread, as I was shocked to find the Exchange password on 2.1 too. Personally I love the idea of password and secure wipe, but the problem is the keypad is so difficult to type passwords on that it takes me forever to log in. I prefer just using the sliding password. And let's face it, if someone wants into your password-protected phone all they need is a USB cable, laptop, and SDK and they can bypass it.
To this end I've been playing with a way to bypass the password and I have been somewhat successful. I am VERY new to this stuff I've been basically teaching myself as I go, so if there are any experts around with an interest please feel free to take this knowledge and run with it.
** DISCLAIMER ** I've no idea what this will do to your phone or your email so make sure you back up. I've had no problems with any of these settings and I've always been able to just delete the Exchange account and re-add it when there was a problem. That being said.. you've been warned, back up. Also, bypassing your company's pointless security measures may be dangerous and cause for termination.
To get started you'll need the SDK and working ADB. It appears all the exchange info is stored in a database file that you can read/edit with sqlite3. Here is what I've found so far:
adb shell (probably need root, not sure)
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
Optional sqlite3 settings to make reading easier:
.headers on
.mode column all
.width 2 40
There are two tables of interest here:
select * from secure;
select * from system;
The following update commands are what I used:
update secure set value=0 where name='DevicePasswordEnabled';
** This command will turn off the DevicePasswordEnabled and let you use a slide unlock pattern, but the password is still set from before.
update system set value=0 where name='lockscreen.lockexchange.enable';
** This command is the magic, I found out by watching logcat that when you unlock your phone it does an IF check on this variable and if it's set then it requires you to enter a password. Once this is set to 0 it skips the password and will ask for your slide unlock pattern instead. If you don't have an unlock pattern it will just jump to your home screen.
update secure set value=0 where name='MaxInactivityTimeDeviceLock';
** This one isn't too critical but I found it and thought I would share it. It basically removes the Exchange requirement for a idle timeout.. mine was set to 30 mins which was perfectly reasonable, but I removed it anyway.
Now once you run these update commands the changes are "done" no need to reboot or do anything special (don't even need to quit sqlite3) if you try to unlock your phone it might ask for a password the first time but enter it and lock the phone again. When you try to unlock it now the password has been removed. WOOOT!!
Now if you recall, at the beginning I mentioned that I've been "somewhat" successful. This fix appears to work perfectly and survives mail client refreshes and reboots. BUT to my dismay, every morning when I wake up and unlock my phone I'm presented with the same "You must enable security settings" msg from Exchange. When you click OK it resets all the changes we made and we are back to square one and have to unlock it again.
I am guessing there is some type of refresh of the Exchange provisioning. I've not found how to disable this as of yet. I'm presently playing with the files located in /data/data/com.htc.android.mail/app_config; it appears to store all the provisioning data in a file called eas_provision.prefs. I've just tried to make the two changes we made in this file in the hopes that perhaps it looks here to compare against the database settings and if it finds a difference it refreshes, but I have my doubts.
Unfortunately I cannot test this until morning as I've found no way to replicate whatever causes the exchange security check.
My guess however is that the mail client itself is re-requesting the security settings.. if that's the case we'd have to either "decompile the mail client" which I don't have the expertise to do. Another option might be to try using an older mail client (assuming this is where the check is).
I hope this helps some folks out there, please share comments and questions, hopefully we can find a good solution. Remember my objective isn't to bypass the security completely but to utilize the slide unlock, which I feel is just as secure as the password (though I am not certain if the wipe will happen with the slide unlock).
Good Luck
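
For an administrator reviewing a copy of settings.db from an enrolled device, the three values named in the post above can be checked for drift. This is an added example, not code from the thread or from any app mentioned in it; the name/value column layout, the sample rows and the helper names are assumptions constructed for illustration.

```python
import sqlite3

# (table, name) pairs taken from the post above; the post sets each one to 0.
WATCHED = (
    ("secure", "DevicePasswordEnabled"),
    ("system", "lockscreen.lockexchange.enable"),
    ("secure", "MaxInactivityTimeDeviceLock"),
)


def read_setting(conn, table, name):
    """Return the stored value as text, or None when the row is absent."""
    # `table` only ever comes from WATCHED, so formatting it into SQL is safe.
    row = conn.execute(
        f"SELECT value FROM {table} WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return None
    return "" if row[0] is None else str(row[0])


def audit(conn):
    """List (table, name, status) for every watched setting that is not enforced.

    Assumes the device is enrolled under a policy that requires a password and
    an inactivity timeout, so a zero, empty or absent value counts as drift.
    """
    findings = []
    for table, name in WATCHED:
        try:
            value = read_setting(conn, table, name)
        except sqlite3.OperationalError:
            # The table itself is gone or unreadable in this copy.
            findings.append((table, name, "table-missing"))
            continue
        if value is None:
            findings.append((table, name, "missing"))
        elif value.strip() in ("", "0"):
            findings.append((table, name, "disabled"))
    return findings


def build_sample(rows):
    """Constructed stand-in for a settings.db copy (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    for table in ("secure", "system"):
        conn.execute(
            f"CREATE TABLE {table} "
            "(_id INTEGER PRIMARY KEY, name TEXT UNIQUE, value TEXT)"
        )
    for table, name, value in rows:
        conn.execute(
            f"INSERT INTO {table} (name, value) VALUES (?, ?)", (name, value)
        )
    return conn


# Constructed sample rows; the non-zero values are placeholders, not real policy.
COMPLIANT = [
    ("secure", "DevicePasswordEnabled", "1"),
    ("system", "lockscreen.lockexchange.enable", "1"),
    ("secure", "MaxInactivityTimeDeviceLock", "1800"),
]
TAMPERED = [
    ("secure", "DevicePasswordEnabled", "0"),
    ("system", "lockscreen.lockexchange.enable", "0"),
    # MaxInactivityTimeDeviceLock row deliberately left out
]

if __name__ == "__main__":
    for label, rows in (("compliant", COMPLIANT), ("tampered", TAMPERED)):
        print(label, audit(build_sample(rows)))
```

Because the post reports that the overnight provisioning refresh resets these values, a single clean snapshot does not show that the device stayed compliant between refreshes.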

My employer is one of the paranoid companies that require the full password, so I'm also pretty interested in the answer. Changing values in the database shows promise, but we'll need to see how this impacts what data is sent back to Exchange. For example, if I change the value to not requiring a lockscreen password, does Exchange know? If so, I get in trouble with Exchange admins, and they probably wipe my phone at their will. Ultimately, the device sends data back to Exchange, and the real solution is to find where the connection between Exchange and the lock screen is, and cut the cord.
For what it's worth, on the Pre this was handled in the lockscreen app and not anywhere near Exchange. The result was bypassing the lockscreen app altogether (return true; - elegant, right?), but that wouldn't meet the needs here of still having something. Once I get it reflashed with Damage's ROM tonight, I'll be playing with this.
And for the record - I'm also not trying to work around security policies enacted by my employer. This is purely for research and educational purposes.

Say I wanted to go the other way: my Exchange server doesn't require a password but I want to use a pass... will following inverse instructions enable the policy?

networx2002 said:
Exchange/Password
Now with Android 2.1 it now makes me use a password. Is there a way to bypass this as it is annoying, or maybe use a pattern instead?
With 1.5 I didn't have to use a password, but with 2.1 now I do.
My company has the security enforced on our Exchange server. Keyguard Disabler (look it up in Market) will do this, but it also disables the slide-to-unlock. You can toggle it on and off as you need it.
-Daryel

I'll have to try it.

Installed Keyguard Disabler from the market and it works great. Well worth the buck 50. Buggy when set to auto start on boot so I just put in the password once at boot and run the app. Completely bypassed the lock enforced by my exchange server.

Hell, I just logged into my Exchange server and disabled the pin requirement.....

tamburylar said:
Now if you recall, at the beginning I mentioned that I've been "somewhat" successful. This fix appears to work perfectly and survives mail client refreshes and reboots. BUT to my dismay, every morning when I wake up and unlock my phone I'm presented with the same "You must enable security settings" msg from Exchange. When you click OK it resets all the changes we made and we are back to square one and have to unlock it again.
I am guessing there is some type of refresh of the Exchange provisioning. I've not found how to disable this as of yet. I'm presently playing with the files located in /data/data/com.htc.android.mail/app_config; it appears to store all the provisioning data in a file called eas_provision.prefs. I've just tried to make the two changes we made in this file in the hopes that perhaps it looks here to compare against the database settings and if it finds a difference it refreshes, but I have my doubts.
Unfortunately I cannot test this until morning as I've found no way to replicate whatever causes the exchange security check.
My guess however is that the mail client itself is re-requesting the security settings.. if that's the case we'd have to either "decompile the mail client" which I don't have the expertise to do. Another option might be to try using an older mail client (assuming this is where the check is).
I hope this helps some folks out there, please share comments and questions, hopefully we can find a good solution. Remember my objective isn't to bypass the security completely but to utilize the slide unlock, which I feel is just as secure as the password (though I am not certain if the wipe will happen with the slide unlock).
Good Luck
I remember from the Windows Mobile days that most Exchange servers automatically refresh the policies each night just after midnight. I used to have a program that ran every so many minutes that looked for that policy to be set and would unset it again. Maybe we can get a DEV here to write us a program that runs in the background on Android that will check and apply your changes above at some periodic amount of time. I would donate for it.

kranz68osu said:
I remember from the Windows Mobile days that most Exchange servers automatically refresh the policies each night just after midnight. I used to have a program that ran every so many minutes that looked for that policy to be set and would unset it again. Maybe we can get a DEV here to write us a program that runs in the background on Android that will check and apply your changes above at some periodic amount of time. I would donate for it.
That would be nice

magic answer to fixing this password stuff
I had the same problem with my work email server. I tried touchdown, didn't like it. Here's the answer, people: download lockbot, the free version, from the Market. Use it, and if you're like me, you will have no problem.
Damn, it feels good to finally help and not be helped by these forums. lol. Hope it works. Post back.

ukcatsfan said:
I had the same problem with my work email server. I tried touchdown, didn't like it. Here's the answer, people: download lockbot, the free version, from the Market. Use it, and if you're like me, you will have no problem.
Damn, it feels good to finally help and not be helped by these forums. lol. Hope it works. Post back.
Downloading now

It works. Thanks
one happy hero user

Related

[Q] Exchange email and disabling the device administrator

There have been ways to get around a corporate exchange device administrator for other devices. Anyone know what can be done on the xoom?
Since adding my exchange account, I now have a required lock screen code, and required display time out, and the possibility of a remote wipe.... Probably familiar to some of you.
The standard lock screen was so cool!!!!! Arrrrr
The techniques I've seen before included an app that disables the device admin, or an email.apk with the exchange security removed.
Mine did the same thing. It's a security setting that needs to be in place based on the Exchange server settings. My Droid X needs a lock code as well.
It is actually a good thing for me, due to the fact I keep work info on it. Frustrating but necessary.
Yes, I have the email.apk on my Captivate that bypasses this screen lock. Though it has other deficiencies, like width problems in the email, and the links in an email don't work. But getting the email and responding works fine. Maybe try out the email.apk for the phone and see how it looks. You can always revert. I think no matter what, you are going to have to get a hacked version to bypass the Exchange permissions options that a corporate admin can impose. The guy that hacked the email.apk has a paid program that probably fixes all the bugs in his free app.. and I hear he is very good about refunding within the first 24 hours if the program doesn't work as expected. Might be something to try.
You are the reason the exchange admins at my workplace don't want to support android users.
If you're placing corporate information on your personal computer, you should secure it properly.
Sent from my PC36100 using XDA Premium App
Bauxite said:
You are the reason the exchange admins at my workplace don't want to support android users.
If you're placing corporate information on your personal computer, you should secure it properly.
Sent from my PC36100 using XDA Premium App
100% agreed. I did not know there was a way round this and if there is, I will not be supporting Android devices on our corporate network. I will continue to support it for private use but not corporate.
There is a way around everything. You can't just blame Android. As admin you should randomly check devices to ensure the security measures are in place anyway. The users have to sign an agreement, and if they are caught breaking the rules then they will suffer the consequences. Don't blame Android because you're too lazy to enforce your policies. Are you going to blame Windows when a user downloads torrents that contain malware?
Sent from my Xoom using XDA Premium App
Bauxite said:
You are the reason the exchange admins at my workplace don't want to support android users.
If you're placing corporate information on your personal computer, you should secure it properly.
Sent from my PC36100 using XDA Premium App
OK, Thanks!
Except I can add the exchange mail to my laptop and save the password. There is no enforcement of my Windows login, screen saver, or the possibility of my laptop being wiped. I don't think the device admin is a good fit for a tablet, whereas a phone is a little different.
You guys are supposed to back me up here.
What was the name of the email.apk and paid app for the Captivate?
Weird. I'm using touchdown and it didn't make me enter a lock password.
Pitnefor said:
Weird. I'm using touchdown and it didn't make me enter a lock password.
Depends on the server settings that your admin has setup.
Here is the 'less supported' email client apk.
http://forum.xda-developers.com/showthread.php?t=775007
His paid for program is called Enhanced Email.
https://market.android.com/details?id=com.qs.enhancedemail&feature=search_result
Here is his website with forum stuff.
http://quantumsolutions.us/forum/
As far as IT having issues with this because of Android.. my last Windows phone didn't have any type of security to force a password. So I agree it's not an Android issue. Plus, some people can use IMAP to get their corporate data, which also doesn't impose security passwords. Not saying it is the right thing to do (get email without locking down the phone) or not, just saying it can be done and here is how. You guys are big boys and girls.. make your own decisions.
eaglecomm said:
As far as IT having issues with this because of Android.. my last Windows phone didn't have any type of security to force a password. So I agree it's not an Android issue.
Which Windows phone is that? All WM phones that support EAS (WM5 and later) support Exchange policies. Whether or not a password is required totally depends on your Exchange Server policy. WM phones also support an email encryption policy, which wasn't supported on iPhone until 3GS and was never supported on any Android OS.
Plus, some people can use IMAP to get their corporate data, which also doesn't impose security passwords. Not saying it is the right thing to do (get email without locking down the phone) or not, just saying it can be done and here is how. You guys are big boys and girls.. make your own decisions.
Any corporation that requires a password and other security policies also disables IMAP and POP3 access to their Exchange server.
Any incompetent corporate IT that left IMAP enabled probably also doesn't require any password policy either.
foxbat121 said:
Which Windows phone is that?
Tilt2
foxbat121 said:
Any corporation that requires a password and other security policies also disables IMAP and POP3 access to their Exchange server.
Any incompetent corporate IT that left IMAP enabled probably also doesn't require any password policy either.
It would seem your second statement here overrides your first. I am not here to debate what they SHOULD be doing. I am stating the current state (or what was the last time I tried IMAP).
Whether they are incompetent or not is not for me to decide. You all seem to have enough opinions of your own for me to worry about changing your minds.
How 'bout we get back on topic?
Security is in place for a reason. Incompetence on the part of your IT dept is one thing, but deliberately trying to circumvent an enforced policy just because you don't really like the look of a lock-screen is another. Should be an interesting meeting with HR when an unsecured device (via security circumvention) is lost with confidential company data.
Just because you can do something doesn't mean you should. So what if your admins weren't bright enough to disable IMAP/POP3 access, if they are enforcing mobile security, respect it.
In my experience, the same people that complain about security are the ones that lose their phones or laptops the most, and also stay silent when proper security measures save their butts from losing their jobs.
eaglecomm said:
Tilt2
Tilt2 definitely supports all the Exchange policies, all the way down to the SD card encryption policy and domain enrollment policy. The fact is your 2-year-old WM phone is actually much more secure at the enterprise level than your fancy new Android system. This is one area that Android currently lacks.
I'm not saying the Tilt2 didn't support it... was just making the statement that it didn't have it on it because it wasn't forced. Hell, I didn't even know it was an option until I had to use an iPhone for a few months and it forced the lock screen.
And it had nothing to do with the way it looked. It has to do with every time I want to use my phone, I had to enter a code. There was no way to set it (that I could find) so that it would only turn on the lock after being off for, say, 10 minutes. Which means if I hit the power button by accident. Locked. No matter what, as soon as the screen went black.. locked.
Anyways, I'm not looking to pick a fight.. just stating things. I figure it's a free world. Once people start enforcing every part of your life, it won't be. I am sure everyone on this forum has passed the speed limit in their car (and probably does on a typical basis). Rule broken.. there for your safety.. yada yada yada. Do what you like.. hence why I moved to Android from Apple.
eaglecomm said:
And it had nothing to do with the way it looked. It has to do with every time I want to use my phone, I had to enter a code. There was no way to set it (that I could find) so that it would only turn on the lock after being off for, say, 10 minutes. Which means if I hit the power button by accident. Locked. No matter what, as soon as the screen went black.. locked.
That I have to agree. WM5.0 did the right way but starting from WM6.0, it basically locks the phone all the time whenever screen goes dark. Now Android 2.2 and later does the same thing. It seems to be some kind of security precaution.
Anyways, I'm not looking to pick a fight.. just stating things.
Not to pick a fight either. Simply correcting your misconception.
I figure it's a free world. Once people start enforcing every part of your life, it won't be. I am sure everyone on this forum has passed the speed limit in their car (and probably does on a typical basis). Rule broken.. there for your safety.. yada yada yada. Do what you like.. hence why I moved to Android from Apple.
No one is forcing anything upon you. You have the choice not to receive company emails. However, if you do elect to receive business emails, companies have the right to enforce whatever security measures they deem necessary. Company emails often contain a lot of sensitive information and maybe even trade secrets. If your phone is accidentally lost and without the proper protection, anyone could take advantage of the information stored on your phone. And if your company found out that the information leak is from you because you circumvented the security policy, you will be in deep trouble.
iPhones before 3GS and most Android phones before 2.2 actually cheated a lot of the EAS security policy by falsifying the policy query response. Basically, if your Exchange server has a policy to require support of email encryption on the device, old iPhones running old iOS and a lot of Android phones running old Android will respond 'YES, supported' but in reality they don't have such support at all. Apple fixed this after the 3GS release (3GS and newer do support email encryption) and Google fixed it in Android 2.2 by correctly responding 'No, do not support such policy'. A lot of big corporations do enforce email encryption.
foxbat121 said:
Not to pick a fight either. Simply correcting your misconception.
No worries.. no misconception. I just stated my phone didn't have it. Which it didn't (in terms of forced security that was implemented). Likely a corporate decision, but it still didn't have it.. which is what I said.
foxbat121 said:
No one is forcing anything upon you. You have the choice
Agreed.. choice.. at least this far in life.. is ours.
I can understand the need for having security measures in place... but why the he77 would those permissions need to include the ability to wipe my device?
I'm rather disappointed to see how many of you are unhelpful in a forum full of people who do this exact same thing in various applications. To answer your question, I use Blue Mail to bypass this silly corporate requirement and I actually like it a lot better than Outlook. It's also free.

What's available?

My phone is both unlocked and rooted. I couldn't stand the crap. I just froze it since all the apps I want install on the card anyway.
With this leak for Android (which Google is patching), is there any app or ROM that will make password entry required (no saved passwords - I don't save them on the computer, so it's no hardship)?
I do have wifi calling, and I will use it over public wifi. I go to places where I get one bar at the most, and the motel has free wifi. I want my pet sitters and house watcher to be able to contact me at any time. My daughter moved to England, so I need Skype, and Skype only works on wifi on Android.
I don't use Picasa, sync the calendar, but I don't want my contacts to be bothered if that is what a hacker has in mind. There is no personal info saved on my phone. I also don't game. I don't watch movies.
Also, I would like a firewall. I have both Bing and Groupon banned in the firewall and in the hosts file. Bing is getting too far ahead of itself. It's allied with Yahoo and I do have a Yahoo mail account.
I use the phone as a PDA reference guide, and the processor speed and screen is why I bought it. I have frozen all the social apps and I might delete them. The phone has been working super since it's been rooted and I enjoy it.
Thanks,
Zuben
I am not sure what you are exactly asking?
You mention password entry? If you are talking about accessing the phone, there is the lockscreen that you can either password enable or choose a pattern to lock the device.
You also mentioned a firewall? There is webroot security, with which you can manage things. But you said that you blocked a few things already? I don't understand.
fknfocused said:
I am not sure what you are exactly asking?
You mention password entry? If you are talking about accessing the phone, there is the lockscreen that you can either password enable or choose a pattern to lock the device.
You also mentioned a firewall? There is webroot security, with which you can manage things. But you said that you blocked a few things already? I don't understand.
I want the apps to ask for a password - not the phone. If I use app market I want to log in every time - do not save the password.
Google mail and Tmobile I could stop from automatic sync. I don't want them syncing automatically unless it's a needed function.
Example: I got a list of updates today, and I can't block the ones I don't want.
There's one in the list for Youtube and Youtube is frozen. So is Facebook. So I didn't allow the updates.
So does anyone have a custom ROM or an app that does this? And where do you find info on webroot security?
Unfortunately the SGS4G is still in its early stages of development. There are a couple of good ROMs out there but they are still stock and not custom; however, they do improve the performance of the phone. As for what you're asking for, no, there are no ROMs that do this yet.
dsexton702 said:
Unfortunately the SGS4G is still in its early stages of development. There are a couple of good ROMs out there but they are still stock and not custom; however, they do improve the performance of the phone. As for what you're asking for, no, there are no ROMs that do this yet.
Thanks, do you think there will be one?
How far can developers go to get rid of stuff?
I saw this:
http://www.usatoday.com/tech/news/2011-05-09-emergency-alerts_n.htm
and I don't want it. Especially presidential alerts. I would guess that the final version isn't out yet, but I'm curious. I think it would eventually lead to abuse.
I buy my phones for my own reasons and use them in my own way, so I'm not your typical user. I see the phone as a PDA, only voice/text is communication.
The rest is all my required information at my fingertips, and the new screens and processors on the phones are great.

[App] 2 Factor Authentication for Windows alpha UPDATE: Now Vista/Win7 ready

2 Factor Authentication for Windows alpha
Hey folks,
this is my alpha preview of my 2Factor Authentication App for Android/Windows.
Disclaimer: By installing this app you will possibly harm your Windows system. Expect many bugs in the phone app, but especially in the Windows app. Use it at your own risk. By downloading the app you agree to this.
This app could make Windows unusable*
*Well, better use Linux or Mac anyway.
What does this app do?
It adds a second screen after you have entered your password, asking for a PIN. This PIN can be generated by your mobile phone and only used once.
The screen will open every time you log in, even after Standby/Hibernate/LockScreen.
Who should use it?
Paranoid people like me, especially those that own a laptop. If someone gets your Windows password via keylogger or phishing, he still can't log in.
In addition you could use the Windows auto-login (loads up all your autostarts) and would be still required to enter a code.
Who shouldn't use it?
People who are working with restricted rights (no Admin/root rights!), as these won't get past the login screen ;-) (might be fixed in final).
People who have multiple accounts on their computer, as every user is required to enter the same pin (will be fixed in final).
People who think this adds an extreme amount of security. Even though it does work in failsafe mode, there are some ways to get around it. If the "bad guy" has physical access to your computer, this is almost as (un-)safe as the Windows password.
Installation
Extract all files from the zip to a folder, e.g. C:\IdislikeWindows\. Then run installtion.exe; make sure you run the installer with administrator rights. You need an internet connection for that, so the program can generate a QR code that you then scan with your phone (apk attached below).
After entering your first generated key you're good to go.
Make sure that you never remove or rename that folder or any files in it!
Removal
Just double click on Uninstall.exe. If you used the graphical login before, select that option. Make sure you run the uninstaller with administrator rights.
What doesn't work (yet)
- Impress with a fancy UI
- It won't work on Windows 9x (won't be supported)
- Users can still Alt+Tab / Win+R
- Users can still open Taskmanager (this is done for debugging)
- Synchronize if you have two phones
- Multiple Accounts
- Non-admin Accounts
- Phone App stores only one passphrase
... and much more I guess.
Tested on
- Windows XP
For safety reasons, the Windows part won't work after 2nd of July. But I will upload a new version by then.
So go ahead, test this app and report many bugs; I bet there are a lot. In addition I'm curious if it works on Win7 and Vista as well.
If something goes wrong, you can always start uninstall.exe with your taskmanager.
I'm looking forward to your feedback!
Thanks,
Marc
Update 22/06/2011:
- added Vista/Win7 Manifests
- Ping not done via RawSocket, so it is possible to install on Vista/Win7
- Remote Sessions should trigger 2FA as well.
Screenshots:
forceu said:
2 Factor Authentication for Windows alpha
Hey folks,
this is my alpha preview of my 2Factor Authentication App for Android/Windows.
.......
What does this app do?
It adds a second screen after you entered your password, asking for a pin. This pin can be generated by your mobile phone and only used once.
The screen will open every time you log in, even after Standby/Hibernate/LockScreen.
Who should use it?
Paranoid people like me, especially those that own a laptop. If someone gets your Windows password via keylogger or phishing, he still can't log in.
In addition you could use the Windows auto-login (loads up all your autostarts) and would be still required to enter a code.
......
Man, you are a genius, I was really looking for something like this.
One question: does it work over RDP? I have a computer at work (encased in a rack in a renderfarm) and I work by logging in with Remote Desktop Connection.
Cool... Will be keeping eye on this one!
daniel.mitran said:
Man, you are a genius, I was really looking for something like this.
One question: does it work over RDP? I have a computer at work (encased in a rack in a renderfarm) and I work by logging in with Remote Desktop Connection.
It probably won't work, but I will try it today. And I know there is a way to trigger it after someone started a remote session. I guess I will have it coded today or tomorrow.
I uploaded a zip, replace the service.exe with the one in your folder and try it. As I posted above, it is not tested, so I don't know if it's actually working ;-)
Feedback is always appreciated.
/edit: Sorry for double post

[Q] phone security. My phone has been hacked

I have a general question for all droid phones.
To make a long story short I have a crazy ex-wife that constantly hacks into my phone. When I get a new phone she tells me the model.
She reads through my text messages and at times has even sent texts to my contacts.
At times when I open my phone she displays her Facebook picture on the phone.
Does anyone know how to stop this???
I heard that droid phones are easy to hack by using something with the email system. If this is true is there any way to stop this?
This constant hacking is driving me crazy. My service provider will not help no matter who I talk to.
Any advice would be greatly appreciated.
Jerry
Yeah get a restraining order... The perfect way to deal with a crazy X. Been there.
You should lock your phone. iPhone, Android, Blackberry, and WP7 all allow you to use a 4 digit code or something else (pattern, password) to lock your phone. Don't tell her what it is, and she won't be able to unlock your phone. I would be surprised if she has the ability to "hack" past that.
raydowe said:
You should lock your phone. iPhone, Android, Blackberry, and WP7 all allow you to use a 4 digit code or something else (pattern, password) to lock your phone. Don't tell her what it is, and she won't be able to unlock your phone. I would be surprised if she has the ability to "hack" past that.
Minus, or so I am guessing, she isn't anywhere near him when she does it...
In other words, the phone could be in his pocket, and she would still be able to hack it...
I've never heard of anything like this being done without physical access or even knowing what model phone the person has, have you? I guess if someone had access to your Google account they could remotely install apps through the marketplace.
It looks like she has access to your Google account synced to your droid and installed some "spy" app. Try changing your account's password, do a factory reset and don't allow any backup.
raydowe said:
they could remotely install apps through the marketplace.
If she has his email and password, I can see it being possible. But either way, if the phone company won't do anything, then the easiest way is to serve her with a restraining order. My ex was this way and I had to freaking move states in order to get the hell away from her.
Even so she still followed and harassed me in the state I am in. Not in person. Electronically. I just ignored her, and the problems went away eventually.... His ex sounds pretty persistent. That gets annoying QUICK! Like you start having evil thoughts annoying.
Therefore I say get a restraining order. You may even be able to get a fee waiver if you qualify for it.
Change your Google passwords, phone co. account password (if you pay online), lock your phone and any other accounts associated with your phone. Do get a restraining order!
Wow, I feel sorry for you man, it sounds crazy... Hope you can live through it and fix everything.
raydowe said:
You should lock your phone. iPhone, Android, Blackberry, and WP7 all allow you to use a 4 digit code or something else (pattern, password) to lock your phone. Don't tell her what it is, and she won't be able to unlock your phone. I would be surprised if she has the ability to "hack" past that.
You're missing the point, this crazy woman is his ex wife so there's no way she's putting her hands on his phone but she hacks him anyway from remote !
Your wife is really crazy to do such things! Get a restraining order. Change every account associated with the device. Create new ones. Hope things would definitely change!
extrem0 said:
It looks like she has access to your Google account synced to your droid and installed some "spy" app. Try changing your account's password, do a factory reset and don't allow any backup.
Sorry, but why not allow any backup? What's the problem with the backup? I was hacked in a similar way and the only thing I did was clicking on a fake video I was tagged on Facebook, which installed a remote access tool. And similarly to the author of this thread, the hacker can now read my WhatsApp, Facebook, Instagram and gallery pictures no matter how many passwords I change or 2FA. I would like so much to get rid of it.

How security improvements can make your device more vulnerable (sic!)

First off - I'm just an everyday user of an Android device, never interested in hacking or any other "advanced" use of computers and the like. My greatest achievements so far are jailbreaking an iPhone, rooting an Android phone and installing a stock ROM on it. You can call me a noob. However - I like to improve things I use and I also value my privacy. That's why I installed software that locks access to certain apps on my phone. I recently found this app actually did the opposite - it made my device vulnerable to identity theft and potential financial loss. I wouldn't really bother telling my story if the developers hadn't deleted my one-star rating with a brief description of the problem right after I posted it in the Play Store.
So, to the point. I installed the CM Security and app lock app (nearly 14 million users and a 4,7 rating) and locked some of the "sensitive" apps with it. One evening I was bored enough to try and play "a hacker" who "found my phone" and see what such a person could do. Considering "a hacker" somehow managed to unlock the device, he'd now encounter my second line of defense - the mighty app locker. And now, in a few short steps I'll show you how much damage you can do with it:
1. First it obviously asks you for an unlocking password/pattern, but - as you don't know it - you hit the in-app menu button and choose the "forgot password?" option.
2. It asks you to log in to your Google account in order to reset the password (YES, you can access Google password recovery from inside the app, so even if you lock your device's Settings, your mail client and so on, you can still access the most vulnerable option of your account from "security" app).
3. As you don't know a Google password you hit the "forgot password" link that starts Google password reset process.
4. It will ask you for the "last password you remember", but you can just say you don't know it and then it gives you an option to get a verification code by SMS - chances are it will be sent to the device you're just holding in your hands. And these chances are big.
5. After you get a verification code you're in. You can now set a new Google account password and reset app locker password/pattern.
It's that easy. You not only unlocked an app locker but also got access to Google account which gives you pretty much endless possibilities, including purchase of some apps in the Play Store as it stores your card details and you only need an account password to authenticate the purchase. You can also try to restore Ebay or Paypal passwords or even try to get directly into bank accounts via banking apps. Sky is the limit.
I already deleted the CM "security" app and looked for some replacement. I wasn't really surprised that it's kind of a standard that when you install them, security apps ask you to give your Google account details just in case you need to recover your password in the future. And they often make you think that giving these details is an integral part of the installation process, a must-do that is necessary for an app to install and work. Some apps, like CM "security", don't even ask - they just use your Google account details and don't give you a chance to decline such an option.
After all - here's some advice I can give:
1. Don't install any security software that connects to your Google account and gives "password reset" options;
2. Don't give Google your mobile number, even if it seems convenient;
3. Don't use your Google account address as your contact information in "owner info" option of your device.
If you have any other suggestions that may improve security, please share.
Cheers
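The five steps in the post above form a recovery chain: the app lock trusts the Google account, and the Google account trusts an SMS sent to the same phone. The following added example (not part of the original post) models that chain as rules and computes what someone holding only the unlocked phone can reach, before and after applying the post's advice items 1 and 2; all rule and asset names are hypothetical labels.

```python
def derive(holdings, rules):
    """Fixed point: map every newly obtainable asset to the route that gave it."""
    have = set(holdings)
    used = {}
    progress = True
    while progress:
        progress = False
        for asset, routes in rules.items():
            if asset in have:
                continue
            for route in routes:
                if route <= have:          # every requirement already held
                    have.add(asset)
                    used[asset] = route
                    progress = True
                    break
    return used


def chain(target, holdings, rules):
    """Ordered steps leading to target, or None if it cannot be reached."""
    used = derive(holdings, rules)
    if target not in used:
        return None
    steps, seen = [], set()

    def walk(asset):
        if asset in seen or asset not in used:
            return                          # already listed, or held from the start
        seen.add(asset)
        for need in sorted(used[asset]):
            walk(need)
        steps.append(asset)

    walk(target)
    return steps


# Each asset lists alternative routes; a route is the set of things required.
AS_DESCRIBED = {
    # The recovery number is the SIM in the phone being held (step 4).
    "sms_code": [frozenset({"unlocked_phone"})],
    "google_account": [frozenset({"google_password"}), frozenset({"sms_code"})],
    # The app lock accepts a Google login as a reset (step 2).
    "app_lock_reset": [frozenset({"app_lock_pin"}), frozenset({"google_account"})],
    "play_store_purchase": [frozenset({"google_account"})],
}

# Advice 2 only: Google has no mobile number, so no SMS recovery route.
NO_SMS_RECOVERY = dict(AS_DESCRIBED, sms_code=[],
                       google_account=[frozenset({"google_password"})])

# Advice 1 only: the app lock offers no reset through the Google account.
NO_GOOGLE_RESET = dict(AS_DESCRIBED, app_lock_reset=[frozenset({"app_lock_pin"})])

if __name__ == "__main__":
    finder = {"unlocked_phone"}
    print(chain("app_lock_reset", finder, AS_DESCRIBED))
    print(chain("app_lock_reset", finder, NO_SMS_RECOVERY))
    print(chain("play_store_purchase", finder, NO_GOOGLE_RESET))
```

Advice 1 alone protects the app lock but leaves the Google account, and with it Play Store purchases, reachable through the SMS route; advice 2 is what cuts the chain at its root.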
Question is why you didn't lock your device in the first place.
I think you are misapplying this feature's benefit/use. It is not there, IMO, to secure your phone from an adversary that has even brief access to your phone.
That is what a combination of a lock screen pwd, short for convenience, and full encryption using a separate and longer pwd of high entropy/randomness is for. Even with that it's important to understand how it works and its limitations. Such as it does not encrypt the ext SD card data. So if you put apps or privileged data there you either should not or should use other means to encrypt it. One such way would be to use truecrypt to encrypt it using a PC, being the easiest, and then use one of the apks that supports accessing those types of partitions/files.
The function you are speaking of is there to prevent people you have a large degree of trust in, such as a family member or close friend possibly, that you may allow to use your phone but do not want them to be able to access private data. Think of a parent allowing their child to use the phone to play a game but does not want them screwing up email or going into their bank app and randomly clicking around etc...
I hope you get the idea. It's not there to prevent someone that means to do you direct intentional harm.
I also want to point out my comments are only directed at the most basic level and only deal with physical security of data on the phone and not the phone itself nor from remote access or privacy.
Also want to point out that a screen lock pwd is nothing but an inconvenience at best to someone wanting access to your data. A quick reboot into recovery and a bkup to an SD card will get them all your data and any weakly secured credentials therein. It's only one part of physical security, which is only itself one part in overall data security, which itself is only a part of data privacy. It's a large house of cards, and removing one or putting one little piece in just slightly the wrong place can collapse the whole house.
It's hard to do just the small piece of each of these parts correctly and extremely hard to combine all the small and large parts together for a total protection scheme. It takes considerable research and learning to do these things, especially if your goals are for higher levels of security and privacy.
As an example, someone that really wants their phone data use on Android to be private from commercial data collection, which via proxy means all gov access to said data, would never install Google Play Store or any Google app on their device. That is just one glaring example of many.
http://ad.cmcm.com/en/?f=home-en-top
Cheetah Mobile is spyware. Watch the video on their website.
I would suggest using the built-in encryption on Android. I don't use it myself, but have the Avira app installed. I like their PC software, and gave it a try.
It can be used to track a lost phone or lock it remotely. Since I have rooted my Huawei G300 it complains a bit, but still scans all apps being installed.
bigeasy911 said:
I think you are misapplying this feature's benefit/use. It is not there, IMO, to secure your phone from an adversary that has even brief access to your phone.
Fact is still that this app claims it provides certain security, yet it doesn't. Not everyone will realize this. So it's always good that people keep pointing this out.
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, eg. Norton are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
minimale_ldz said:
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, eg. Norton are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
The first step to real security is removing all Google apps and Google account. There is no other way around this. Next, don't install any app that is not open source. Also, don't use any recovery. And finally, either epoxy your entire usb port, if you have let's say a magnetic charging port or cut all usb port pins except for 2 for charging. In addition, you should open the phone and epoxy usb port and contacts from inside, so that it can't be replaced. Or even better: epoxy your entire motherboard. That would take care of UART socket or any other way of entering CPU/GPU/RAM from inside. Encrypt your phone. After that, your phone couldn't be penetrated (other than through the air/baseband, which is a whole different level of sophistication). If someone targets you over the baseband, throw your phone and run for your freedom...
Seriously, in the above scenario, no one can have access to your data: no fastboot, no adb, no recovery. They wouldn't be able to replace kernel, recovery, system or use any OEM official flashing method... . I welcome any suggestion to hack such a device...
minimale_ldz said:
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, eg. Norton are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
Reviews or star ratings are not always very reliable, just use as a rough guide .... (In my opinion SOME of those Chinese apps seem to be amongst the worst offenders)
https://techcrunch.com/2014/05/27/f...unes-but-google-play-has-the-worst-offenders/
optimumpro said:
The first step to real security is removing all Google apps and Google account. There is no other way around this. Next, don't install any app that is not open source. Also, don't use any recovery. And finally, either epoxy your entire usb port, if you have let's say a magnetic charging port or cut all usb port pins except for 2 for charging. In addition, you should open the phone and epoxy usb port and contacts from inside, so that it can't be replaced. Or even better: epoxy your entire motherboard. That would take care of UART socket or any other way of entering CPU/GPU/RAM from inside. Encrypt your phone. After that, your phone couldn't be penetrated (other than through the air/baseband, which is a whole different level of sophistication). If someone targets you over the baseband, throw your phone and run for your freedom...
Seriously, in the above scenario, no one can have access to your data: no fastboot, no adb, no recovery. They wouldn't be able to replace kernel, recovery, system or use any OEM official flashing method... . I welcome any suggestion to hack such a device...
Well, you forgot the SD card, unless you encrypt that as well, which for a user who uses the card for transferring files across different devices is not such a bright idea.
Using epoxy could slow down the hack, and seriously give more trouble to the user than the hacker.
That being said, your idea of securing the data is somewhat clear, but really a secured device? 'Cause epoxy can be penetrated as well, lock screen can also be bypassed, even without Google and a recovery.
It might take more time than hacking an average device, but still it can be done and most probably the hacker would be the same owner. 'Cause he forgot the damn password and is looking to get back the data.
The more we try to secure, the more we make our lives tough.
billysam said:
Well, you forgot the SD card, unless you encrypt that as well, which for a user who uses the card for transferring files across different devices is not such a bright idea.
Using epoxy could slow down the hack, and seriously give more trouble to the user than the hacker.
That being said, your idea of securing the data is somewhat clear, but really a secured device? 'Cause epoxy can be penetrated as well, lock screen can also be bypassed, even without Google and a recovery.
It might take more time than hacking an average device, but still it can be done and most probably the hacker would be the same owner. 'Cause he forgot the damn password and is looking to get back the data.
The more we try to secure, the more we make our lives tough.
Epoxy: Knowing how small and fragile phone motherboards are, I think you will most likely damage the board while trying to penetrate epoxy... Maybe you shouldn't epoxy the usb port on the outside, but cut the data pins and epoxy on the inside to not give a hint to an attacker. Anyway, I wish an attacker fun time trying to remove epoxy...
The point of encryption is to protect data when the phone is off. So, it makes sense that for someone without a password, the phone turns into a brick. And if you tend to forget the password, then write it down somewhere other than the phone...
Mobile security is a myth. At best it is a door knob lock. It will keep honest people honest but won't stop someone from really trying and doing it.
I see lots of talk from people about security and yet these same people use Facebook, which has enough holes in it that anyone could hack someone else's PC. I use it all the time to mess with people. The looks on their faces are priceless.
